The SonicWall Capture Labs Threat Research team has recently observed a ransomware threat known as Amnesia. As SonicWall predicted previously, the trend of increasing ransom demands has continued. This time last year, ransom demands for file decryption averaged only a few hundred US dollars. Most ransomware today has raised this amount to around 1 Bitcoin ($2629 at the time of writing this alert), as is the case with the Amnesia ransomware.

Infection Cycle:

The Trojan makes the following DNS request:

iplogger.info

The Trojan adds the following files to the filesystem:

%APPDATA%\sevnz.exe (copy of original file) [Detected as GAV: Amnesia.RSM (Trojan)]

IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT (copied into every directory containing encrypted files)

All encrypted files use the following file naming convention:

{encrypted filename}.[unlocking.guarantee@aol.com]
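As an added example (not part of the SonicWall alert), the following Python triage script checks a host's file listing and a DNS query log for the indicators listed above: the dropped copy of the Trojan, the ransom note, the renamed files and the DNS lookup. The sample paths and the "timestamp host qname" log format are constructed, and %APPDATA% is assumed to expand to the usual AppData\Roaming directory.

```python
import ntpath

# Indicators as listed in the alert above
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
ENCRYPTED_SUFFIX = ".[unlocking.guarantee@aol.com]"
DROPPED_COPY = "sevnz.exe"          # %APPDATA%\sevnz.exe
DNS_INDICATOR = "iplogger.info"

# Constructed sample file listing from an affected host (not real data)
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\sevnz.exe",
    r"C:\Users\alice\Documents\budget.xlsx.[unlocking.guarantee@aol.com]",
    r"C:\Users\alice\Documents\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
    r"C:\Users\alice\Pictures\holiday.jpg.[unlocking.guarantee@aol.com]",
    r"C:\Users\alice\Pictures\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
    r"C:\Users\alice\Desktop\notes.txt",
]

# Constructed sample DNS query log, hypothetical "timestamp host qname" format
SAMPLE_DNS = [
    "2017-05-10T09:12:01 WS01 www.example.com",
    "2017-05-10T09:12:44 WS01 iplogger.info",
    "2017-05-10T09:13:02 WS07 updates.example.com",
]

def original_name(path):
    """Recover the pre-encryption file name by stripping the appended tag."""
    if not path.endswith(ENCRYPTED_SUFFIX):
        raise ValueError("not renamed by Amnesia: " + path)
    return path[: -len(ENCRYPTED_SUFFIX)]

def triage_paths(paths):
    """Summarise the file-system indicators seen in a path listing."""
    encrypted = [p for p in paths if p.endswith(ENCRYPTED_SUFFIX)]
    # Directories holding the ransom note mark where encryption took place
    note_dirs = sorted({ntpath.dirname(p) for p in paths
                        if ntpath.basename(p) == RANSOM_NOTE})
    # %APPDATA% is assumed to expand to ...\AppData\Roaming
    dropper = [p for p in paths
               if ntpath.basename(p).lower() == DROPPED_COPY
               and "\\appdata\\roaming\\" in p.lower()]
    return {"encrypted": encrypted, "note_dirs": note_dirs, "dropper": dropper}

def dns_hits(log_lines):
    """Return the hosts that looked up the domain named in the alert."""
    hosts = []
    for line in log_lines:
        _ts, host, qname = line.split()
        if qname.lower().rstrip(".") == DNS_INDICATOR:
            hosts.append(host)
    return hosts
```

The DNS check alone is a weak signal, since the domain is a public service; treat it as a lead to correlate with the file-system indicators rather than a verdict on its own.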

The Trojan adds the following keys to the registry, the first of which is a unique ID for the infection: